What is CVE-2025-7384 and which WordPress plugin does it affect?

CVE-2025-7384 is a critical security vulnerability with a CVSS score of 9.8 affecting the 'Database for Contact Form 7, WPforms, Elementor forms' WordPress plugin. This plugin is a database management tool for popular WordPress form builders that automatically saves form submissions to the WordPress database.

What can attackers accomplish by exploiting CVE-2025-7384?

Unauthenticated attackers can inject malicious PHP objects into the application and potentially delete critical WordPress configuration files. The most severe attack scenario involves accessing or deleting the wp-config.php file, which contains critical database credentials, security keys, and essential configuration settings.

How can users fix the CVE-2025-7384 vulnerability?

Users are advised to update their plugin to the latest version, which as of this date is version 1.4.5. This update addresses the vulnerability and should be applied immediately.

Are there any mitigation measures for CVE-2025-7384?

No, there are no mitigation measures available for this vulnerability. The only solution is to update the plugin to version 1.4.5 or later.

What is the CVSS score for CVE-2025-7384?

CVE-2025-7384 has a CVSS score of 9.8, which indicates it is a critical severity vulnerability that poses an extremely high risk to affected WordPress websites.

Why is CVE-2025-7384 considered particularly dangerous?

CVE-2025-7384 is particularly dangerous because it allows unauthenticated remote attacks with a critical CVSS score of 9.8, can lead to deletion of critical WordPress files like wp-config.php, potentially resulting in complete website compromise or remote code execution, and has no available mitigation measures other than updating the plugin.

Advisory

Critical WordPress plugin flaw exposes websites to takeover

Q: What causes the CVE-2025-7384 vulnerability?

The vulnerability is caused by improper handling of user input in the plugin's get_lead_detail function, which fails to sanitize data before performing deserialization operations. This flaw allows unauthenticated attackers to inject malicious PHP objects into the application without requiring any user credentials or special access.

Q: What happens if the wp-config.php file is deleted?

If the wp-config.php file is deleted, it can render websites completely inaccessible or, in certain configurations, provide attackers with opportunities to achieve remote code execution on the target server. This file contains critical database credentials, security keys, and other essential configuration settings for WordPress installations.

Q: Which versions of the plugin are affected by CVE-2025-7384?

All versions of the 'Database for Contact Form 7, WPforms, Elementor forms' plugin up to and including version 1.4.3 are affected by this vulnerability.

Q: Do attackers need authentication to exploit CVE-2025-7384?

No, CVE-2025-7384 allows unauthenticated attackers to compromise websites without requiring any user credentials or special access. This makes it particularly dangerous as anyone can potentially exploit it.

published: Aug. 14, 2025

Take action: If you use the "Database for Contact Form 7, WPforms, Elementor forms" plugin on any WordPress site, time to update NOW. You can't mitigate this flaw because the plugin is visible on the internet. So don't delay, the update is trivial.

Learn More

A security vulnerability is reported in "Database for Contact Form 7, WPforms, Elementor forms" WordPress plugin that could allow unauthenticated attackers to compromise websites without authentication.

The plugin is a database management tool for popular WordPress form builders, automatically saving form submissions from Contact Form 7, WPforms, Elementor Forms, CRM Perks Forms, and many other contact form plugins to the WordPress database.

The vulnerability is tracked as CVE-2025-7384 (CVSS score 9.8) and is caused by improper handling of user input in the plugin's get_lead_detail function, which fails to sanitize data before performing deserialization operations. This flaw allows unauthenticated attackers to inject malicious PHP objects into the application without requiring any user credentials or special access.

The most severe attack scenario involves the deletion of critical WordPress configuration files, like acessing or deleting the wp-config.php file is deleted. The wp-config.php file contains critical database credentials, security keys, and other essential configuration settings for WordPress installations. Its deletion can render websites completely inaccessible or, in certain configurations, provide attackers with opportunities to achieve remote code execution on the target server.

Affected versions are all versions of the "Database for Contact Form 7, WPforms, Elementor forms" plugin up to and including version 1.4.3

Users are advised to update their plugin to the latest version, which as of this date is version 1.4.5. There is no migitation measure.

Critical WordPress plugin flaw exposes websites to takeover

Read More
Critical flaws reported in WordPress Woffice Theme, update …
Critical vulnerability reported in Everest Forms WordPress Plugin
Critical vulnerability reported in Yii 2 PHP framework
MW WP Form plugin for WordPress has critical …
Hunk Companion WordPress plugin exploited by hackers to …